In summary, ransomware has increased 200% since January 2015, and of course it is going to increase even more in 2017. It is a quick-money business, and few companies are prepared to prevent it or act on it.
Profitable business
In the first half of 2016, ransomware campaigns generated revenues of about $94 million, mainly in the USA and Canada. That is a big motivation for hackers to focus on such attacks and plan new targets: hospitals, manufacturing, schools, NGOs, federations and so on. We can't say «this sector is of no interest»; it is only a matter of time before a profitable approach is found for each sector. In Latin America, many small and medium-sized businesses (SMBs) and government entities have suffered these attacks, and in spite of all the initiatives, effort and tasks to avoid it, there is no real or effective approach against this kind of malware.
How do I prepare?
Prevention is the best approach against ransomware: change the paradigm and «stop chasing your tail». Current security solutions have added more layers of security (and more complexity) to the technological architecture. These layers are:
1. Antivirus and antimalware. This layer does not solve the ransomware problem because it is not designed to detect advanced malware. Antivirus works on «known good and known bad», but what about the unknown?
2. To deal with this problem of «the unknown», there is another layer with the capacity to consult and share with other entities (a malware database in the cloud, for example), to see whether anyone in the world has been affected and whether the hash information is available to share. But what if nobody has identified this file before?
3. This has led to a third layer, the «sandbox»: dedicated hardware or a cloud service with the ability to run the unknown file and interact with it to detect abnormal behavior, or to rummage through its code looking for «some known piece of malicious code». This is also known as dynamic and static analysis. But how long does this process take? What is the user experience while this process is happening? What if the file is benign or proprietary code? When can I run it? If the attack is evasive and uses advanced techniques such as segmenting the code into several pieces, how can a sandbox detect it?
4. Given that we need a «patient zero», or first infection, to know for certain that a piece of code is malicious, we must then remove it from all devices in the network. That is why there is another layer known as EDR, «Endpoint Detection and Response». Finally, we analyze the origin and go back to point 3 for further analysis.
We have described 4 layers of endpoint security, each involving additional licensing costs, to deal with the problem of advanced malware detection (not to mention whitelisting, DLP and encryption techniques, which point to other use cases such as theft of information), when the solution can be simple in approach, although not as obvious in implementation.
And now, who can help us?
As I mentioned earlier, prevention returns to the spotlight as a much more effective solution against advanced malware than detection. However, as with any strategy, we must always involve the three pillars of any organization: people, processes and technology. That means a security awareness plan to increase people's sensitivity to security incidents; living, agile and effective processes to increase organizational intelligence; and finally (and my focus) the right technology. I insist that conventional antivirus is not the solution against advanced malware. If someone is recommending an antivirus to your client to resolve this point, I suggest reevaluating and expanding the proposal.
Again, the right technology rests on two concepts: artificial intelligence and machine intelligence, or cognitive computing. A solution based on artificial intelligence and cognitive computing already exists in the market, and its outcomes against advanced malware have been amazing: detection statistics are higher than those of traditional endpoint protection solutions, including the four (4) layers above. There is a trend, or a blip, for the coming years: security companies that do not apply artificial intelligence algorithms in the fight against advanced malware will be left behind. Artificial intelligence is not new; what is new is its application against advanced malware. These algorithms learn by analyzing hundreds of millions of malware samples of all types and manage to define mathematical models. These models are applied to new or unknown files, yielding a risk level for the file, and actions are taken based on this risk.
Recommendation
Apply a holistic approach to the prevention strategy: people, processes and technology. Selecting the right technology, one that uses artificial intelligence and machine learning, will allow you to save time and have an effective barrier as people and processes are balanced.
At ADV Integrators and consultants we are available to support a cybersecurity strategy that addresses the threats of advanced malware, which is and will be the main challenge to be solved by all who have the responsibility to improve the security posture of organizations.
Jesús Dubront, CISM
Director
ADV Integradores y consultores
jesus.dubront@adv-ic.com | @jdubront | www.adv-ic.com | @adv_ic | LinkedIn: ADV Integradores y consultores | Facebook: ADV Integradores y consultores